Tripwire
Find contracts. Test them. Review real vulns.

Analysis Run

Run ID: 3fcf3cea-d5c5-42f9-8b26-74e039fa848f
Status: failed
Chain ID: 1
Address:
Block Number:
Created: Tue, Dec 30, 2025 2:44 AM
Review Summary

What survived the funnel

Open this run to answer one question: is this real attacker-relevant behavior with real impact, or just normal contract plumbing?

Confirmed: 0
Validated: 0
Source: Verified
Review Backing: Not yet
Best current signal: Untrusted DELEGATECALL target reachable
Critical: 0 / High: 0 / direct contract
Review Checklist
1. Read the findings table first. Ignore raw jobs until the result looks real.
2. Confirm attacker control, not just the existence of a sink.
3. Confirm money or privilege impact.
4. Keep it if the behavior is real. Kill it if this is normal proxy, admin, or upgrade plumbing.

Processing Jobs

Status & attempts
ID     Type                Status    Attempts  Heartbeat
30672  report.consolidate  complete  1 / 1     3 months ago
75028  artifact.fetch      failed    1 / 3     1 week ago
75029  tool.cast_disasm    complete  1 / 3     1 week ago
75030  analysis.bundle     complete  1 / 3     1 week ago
75031  capability.graph    complete  1 / 3     1 week ago
75032  detector.run        complete  1 / 3     1 week ago
75033  validation.fork     complete  1 / 3     1 week ago

Artifact

Runtime bytecode: available
Creation TX:
Deployer:
Proxy: no
Implementation:
Verified Source: yes

Slither

tool.slither

No slither job recorded yet.

Codex

report.consolidate
Job Status: complete
Attempts: 1 / 1
Findings: 0
No findings?: yes
Summary: No exploitable vulnerabilities found in the first-party Stream implementation; core flows use checks-effects-interactions and SafeERC20.
stderr:
[codex:1226692] OpenAI Codex v0.77.0 (research preview)
[codex:1226692] --------
[codex:1226692] workdir: /tmp/codex-multi-60l150gl
[codex:1226692] model: gpt-5.2-codex
[codex:1226692] provider: openai
[codex:1226692] approval: never
[codex:1226692] sandbox: read-only
[codex:1226692] reasoning effort: xhigh
[codex:1226692] reasoning summaries: auto
[codex:1226692] session id: 019b6d20-5b5b-7793-bb3c-de942865b6af
[codex:1226692] --------
[codex:1226692] user
[codex:1226692] You are a security auditor. Audit this Solidity codebase for exploitable vulnerabilities.
[codex:1226692] Focus on: reentrancy, access control, upgradeability/proxy issues, signature validation, oracle manipulation,
[codex:1226692] accounting/invariant breaks, external call patterns, unchecked return values, and dangerous delegatecall.
[codex:1226692] 
[codex:1226692] Scope rules:
[codex:1226692] - You MUST fully read `AUDIT_BUNDLE.txt` before concluding. It contains the complete contents of all first-party `contracts/**/*.sol` files.
[codex:1226692] - Treat `lib/` and `@openzeppelin/` as third-party dependencies; skip them unless there is a concrete misuse angle in first-party code.
[codex:1226692] 
[codex:1226692] Output MUST be valid JSON matching the provided schema.
[codex:1226692] - If you find nothing meaningful: set no_findings=true and findings=[].
[codex:1226692] - Otherwise: set no_findings=false and include findings with severity/category/title and file/line locations when possible.
[codex:1226692] 
[codex:1226692] Output constraints (IMPORTANT):
[codex:1226692] - severity MUST be exactly one of: info, low, medium, high, critical (lowercase).
[codex:1226692] - category MUST be exactly one of: access_control, reentrancy, math, oracle, upgradeability, auth, other.
[codex:1226692] mcp startup: no servers
[codex:1226692] 
[codex:1226692] thinking
[codex:1226692] **Reading AUDIT_BUNDLE.txt**
[codex:1226692] exec
[codex:1226692] /bin/bash -lc ls in /tmp/codex-multi-60l150gl succeeded in 5ms:
[codex:1226692] AUDIT_BUNDLE.txt
[codex:1226692] codex-output-schema.json
[codex:1226692] contracts
[codex:1226692] exec
[codex:1226692] /bin/bash -lc 'cat AUDIT_BUNDLE.txt' in /tmp/codex-multi-60l150gl succeeded in 5ms:
[codex:1226692] This file concatenates the full contents of first-party Solidity sources for auditing.
[codex:1226692] 
[codex:1226692] ================================================================================
[codex:1226692] FILE: contracts/lib/openzeppelin-contracts/contracts/interfaces/IERC20.sol
[codex:1226692] ================================================================================
[codex:1226692] // SPDX-License-Identifier: MIT
[codex:1226692] // OpenZeppelin Contracts v4.4.1 (interfaces/IERC20.sol)
[codex:1226692] 
[codex:1226692] pragma solidity ^0.8.0;
[codex:1226692] 
[codex:1226692] import "../token/ERC20/IERC20.sol";
[codex:1226692] 
[codex:1226692] ================================================================================
[codex:1226692] FILE: contracts/lib/openzeppelin-contracts/contracts/token/ERC20/IERC20.sol
[codex:1226692] ================================================================================
[codex:1226692] // SPDX-License-Identifier: MIT
[codex:1226692] // OpenZeppelin Contracts (last updated v4.6.0) (token/ERC20/IERC20.sol)
[codex:1226692] 
[codex:1226692] pragma solidity ^0.8.0;
[codex:1226692] 
[codex:1226692] 
[codex:1226692] thinking
[codex:1226692] **Analyzing potential reentrancy and initialization issues**
[codex:1226692] exec
[codex:1226692] /bin/bash -lc 'rg -n "FILE: contracts/src" AUDIT_BUNDLE.txt' in /tmp/codex-multi-60l150gl succeeded in 6ms:
[codex:1226692] 969:FILE: contracts/src/IStream.sol
[codex:1226692] 982:FILE: contracts/src/Stream.sol
[codex:1226692] 
[codex:1226692] 
[codex:1226692] 
[codex:1226692] thinking
[codex:1226692] **Evaluating potential stream vulnerabilities and edge cases**
[codex:1226692] thinking
[codex:1226692] **Confirming internal call access controls and reinitialization effects**
[codex:1226692] 
[codex:1226692] I’m carefully checking how the external `recoverTokens(address to)` calls the internal `recoverTokens` with `onlyPayer`, confirming the modifier enforces access despite internal calls. I also explore how multiple `initialize` calls by the factory could reset internal balances, potentially affecting withdrawal logic or token recovery, though these seem controlled by factory trust. There’s a complex dance around reentrancy and state updates, but overall the access control and invariants appear solid given the design assumptions.
[codex:1226692] thinking
[codex:1226692] **Assessing edge cases around cancel, reentrancy, and token accounting**
[codex:1226692] 
[codex:1226692] I’m examining subtle behaviors in cancel and withdraw related to block timestamps, underfunding, and token recovery order. I note that `cancel` doesn’t transfer funds but adjusts balances safely, and that external token transfers after state updates are generally safe here. Minor issues like allowance of zero address in transfers or potential DoS if factory misbehaves appear low risk. Overall, no clear vulnerabilities surface, but there are interesting invariant edge cases and reentrancy considerations that seem handled well.
[codex:1226692] exec
[codex:1226692] /bin/bash -lc 'cat codex-output-schema.json' in /tmp/codex-multi-60l150gl succeeded in 5ms:
[codex:1226692] {"type": "object", "additionalProperties": false, "required": ["no_findings", "summary", "findings"], "properties": {"no_findings": {"type": "boolean"}, "summary": {"type": "string"}, "findings": {"type": "array", "items": {"type": "object", "additionalProperties": false, "required": ["severity", "category", "title", "evidence", "locations", "exploit_scenario", "recommendation"], "properties": {"severity": {"type": "string", "enum": ["info", "low", "medium", "high", "critical"]}, "category": {"type": "string", "enum": ["access_control", "reentrancy", "math", "oracle", "upgradeability", "auth", "other"]}, "title": {"type": "string"}, "exploit_scenario": {"type": "string"}, "recommendation": {"type": "string"}, "evidence": {"type": "string"}, "locations": {"type": "array", "items": {"type": "string"}}}}}}}
[codex:1226692] 
[codex:1226692] thinking
[codex:1226692] **Summarizing audit findings and reasoning**
[codex:1226692] 
[codex:1226692] I'm crafting a JSON response that declares no exploitable vulnerabilities found in the Stream contracts, carefully weighing potential risks like factory reinitialization and reentrancy. While noting trust assumptions around factory control, the overall code uses sound practices and safeguards, so the summary stays concise and focused on no findings.
[codex:1226692] codex
[codex:1226692] {"no_findings":true,"summary":"No exploitable vulnerabilities found in the first-party Stream implementation; core flows use checks-effects-interactions and SafeERC20.","findings":[]}
[codex:1226692] tokens used
[codex:1226692] 28,724
[codex:1226692] {"no_findings":true,"summary":"No exploitable vulnerabilities found in the first-party Stream implementation; core flows use checks-effects-interactions and SafeERC20.","findings":[]}
Metadata
{
    "codex": {
        "ran_at": "2025-12-30T02:44:17.975138+00:00",
        "returncode": 0
    },
    "summary": "No exploitable vulnerabilities found in the first-party Stream implementation; core flows use checks-effects-interactions and SafeERC20.",
    "raw_final": {
        "summary": "No exploitable vulnerabilities found in the first-party Stream implementation; core flows use checks-effects-interactions and SafeERC20.",
        "findings": [],
        "no_findings": true
    },
    "no_findings": true,
    "schema_version": 1
}

Opcode Heuristics

tool.cast_disasm
Delegatecall: 1
Selfdestruct: 0
CREATE2: 0
CALL-family (heavy): 0
EXT*/BALANCE: 1
Total opcodes: 151
Flags: delegatecall_present
cast disassembly output:
00000000: CALLDATASIZE
00000001: PUSH1 0x2c
00000003: JUMPI
00000004: CALLVALUE
00000005: RETURNDATASIZE
00000006: MSTORE
00000007: PUSH32 0x9e4ac34f21c619cefc926c8bd93b54bf5a39c7ab2127a895af1cc0691d7e3dff
00000028: MSIZE
00000029: RETURNDATASIZE
0000002a: LOG1
0000002b: STOP
0000002c: JUMPDEST
0000002d: CALLDATASIZE
0000002e: RETURNDATASIZE
0000002f: RETURNDATASIZE
00000030: CALLDATACOPY
00000031: RETURNDATASIZE
00000032: RETURNDATASIZE
00000033: RETURNDATASIZE
00000034: RETURNDATASIZE
00000035: PUSH2 0x00b2
00000038: DUP1
00000039: PUSH1 0x62
0000003b: CALLDATASIZE
0000003c: CODECOPY
0000003d: CALLDATASIZE
0000003e: ADD
0000003f: RETURNDATASIZE
00000040: PUSH20 0x0b9dff1aba32a9fa95011c7f097ec672f689038f
00000055: GAS
00000056: DELEGATECALL
00000057: RETURNDATASIZE
00000058: RETURNDATASIZE
00000059: SWAP4
0000005a: DUP1
0000005b: RETURNDATACOPY
0000005c: PUSH1 0x60
0000005e: JUMPI
0000005f: REVERT
00000060: JUMPDEST
00000061: RETURN

Findings

validated = confirmed for call sinks; sink observed for others
Severity: critical
Category: upgradeability
Tool: detector
Title: Untrusted DELEGATECALL target reachable
Confidence: 70
Validated: no
Confirmed: no
validation_json
{
    "sink": "DELEGATECALL",
    "errors": 10,
    "status": "unknown",
    "attempts": 11,
    "confirmed": false,
    "trace_mode": "callTracer",
    "call_targets": null,
    "matched_probe": null,
    "target_varies": null,
    "classification": "no_sink"
}
witness_json
{
    "notes": "heuristic witness; entrypoints are best-effort selectors with zeroed calldata",
    "constraints": [],
    "entrypoints": [
        {
            "calldata": "0x",
            "selector": "fallback",
            "calldata_variants": [
                "0x"
            ]
        }
    ]
}
evidence_json
{
    "examples": [
        {
            "pc": 86,
            "opcode": "DELEGATECALL",
            "returndata_checked": null,
            "value_expression_category": "n/a",
            "target_expression_category": "computed"
        }
    ],
    "guards_detected": [],
    "delegatecall_count": 1,
    "untrusted_delegatecall_count": 1
}
Severity: medium
Category: upgradeability
Tool: cast
Title: DELEGATECALL present
Confidence: 80
Validated: no
evidence_json
{
    "notes": "delegatecall enables execution in caller context; common in proxies/upgradeable patterns",
    "delegatecall_count": 1
}